Gitlab CI 运行程序无法公开嵌套 Docker 容器的端口 [英] Gitlab CI runner not able to expose ports of nested Docker containers
问题描述
当使用 GitLab CI 以及 gitlab-ci-multi-runner 时,我无法让内部启动的 Docker 容器将它们的端口暴露给主机",这是运行构建的 Docker 映像.
When using GitLab CI, as well as the gitlab-ci-multi-runner, I'm unable to get internally-started Docker containers to expose their ports to the "host", which is the Docker image in which the build is running.
我的.gitlab-ci.yml文件:
test:
image: docker
stage: test
services:
- docker:dind
script:
- APP_CONTAINER_ID=`docker run -d --privileged -p "9143:9143" appropriate/nc nc -l 9143`
- netstat -a
- docker exec $APP_CONTAINER_ID netstat -a
- nc -v localhost 9143
我的命令:
gitlab-ci-multi-runner exec docker --docker-privileged test
输出:
$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 runner--project-1-concurrent-0:54664 docker:2375 TIME_WAIT
tcp 0 0 runner--project-1-concurrent-0:54666 docker:2375 TIME_WAIT
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
$ docker exec $APP_CONTAINER_ID netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:9143 0.0.0.0:* LISTEN
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
$ nc -v localhost 9143
ERROR: Build failed: exit code 1
FATAL: exit code 1
我在这里做错了什么?
原始问题如下 - 以上是一个更短、更易于测试的示例
我有一个侦听端口 9143 的应用程序映像.它的启动和配置通过 docker-compose.yml 进行管理,并且在我的本地机器上使用 docker-compose up 运行良好 - 我可以访问 localhost:9143 没有问题.
I have an application image that listens on port 9143. Its startup and config is managed via docker-compose.yml, and works great on my local machine with docker-compose up - I can access localhost:9143 without issue.
但是,当通过共享运行器在 GitLab CI(gitlab.com 版本)上运行时,端口似乎没有暴露.
However, when running on GitLab CI (the gitlab.com version) via a shared runner, the port doesn't seem to be exposed.
我的.gitlab-ci.yml的相关部分:
test:
image: craigotis/buildtools:v1
stage: test
script:
- docker login -u gitlab-ci-token -p $CI_BUILD_TOKEN registry.gitlab.com/craigotis/myapp
- docker-compose up -d
- sleep 60 # a temporary hack to get the logs
- docker-compose logs
- docker-machine env
- docker-compose port app 9143
- netstat -a
- docker-compose ps
- /usr/local/bin/wait-for-it.sh -h localhost -p 9143 -t 60
- cd mocha
- npm i
- npm test
- docker-compose down
输出为:
$ docker-compose logs
...
app_1 | [Thread-1] INFO spark.webserver.SparkServer - == Spark has ignited ...
app_1 | [Thread-1] INFO spark.webserver.SparkServer - >> Listening on 0.0.0.0:9143
app_1 | [Thread-1] INFO org.eclipse.jetty.server.Server - jetty-9.0.z-SNAPSHOT
app_1 | [Thread-1] INFO org.eclipse.jetty.server.ServerConnector - Started ServerConnector@6919dc5{HTTP/1.1}{0.0.0.0:9143}
...
$ docker-compose port app 9143
0.0.0.0:9143
$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 runner-e11ae361-project-1925166-concurrent-0:53646 docker:2375 TIME_WAIT
tcp 0 0 runner-e11ae361-project-1925166-concurrent-0:53644 docker:2375 TIME_WAIT
tcp 0 0 runner-e11ae361-project-1925166-concurrent-0:53642 docker:2375 TIME_WAIT
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
$ docker-compose ps
stty: standard input: Not a tty
Name Command State Ports
----------------------------------------------------------------------------------------
my_app_1 wait-for-it.sh mysql_serve ... Up 8080/tcp, 0.0.0.0:9143->9143/tcp
mysql_server docker-entrypoint.sh --cha ... Up 3306/tcp
$ /usr/local/bin/wait-for-it.sh -h localhost -p 9143 -t 60
wait-for-it.sh: waiting 60 seconds for localhost:9143
wait-for-it.sh: timeout occurred after waiting 60 seconds for localhost:9143
我的docker-compose.yml的内容:
version: '2'
networks:
app_net:
driver: bridge
services:
app:
image: registry.gitlab.com/craigotis/myapp:latest
depends_on:
- "db"
networks:
- app_net
command: wait-for-it.sh mysql_server:3306 -t 60 -- java -jar /opt/app*.jar
ports:
- "9143:9143"
db:
image: mysql:latest
networks:
- app_net
container_name: mysql_server
environment:
- MYSQL_ALLOW_EMPTY_PASSWORD=true
似乎我的应用程序容器正在侦听 9143,并且它已正确公开给共享的 GitLab 运行程序,但它似乎实际上并未公开.它在我的本地机器上运行良好 - 是否有一些特殊的解决方法/调整我需要在 GitLab 上运行的 Docker 容器内部完成这项工作?
It seems like my application container is listening on 9143, and it's properly exposed to the shared GitLab runner, but it doesn't seem to actually be exposed. It works fine on my local machine - is there some special workaround/tweak I need to make this work inside a Docker container running on GitLab?
推荐答案
官方 gitlab.com 文档上的 gitab-ci 指的是 PostgreSQL 示例
它的工作 CI 并没有试图连接到本地主机,而是连接到 服务名称
Its working CI does not try to connect to localhost, but rather to the service name
services 关键字仅定义在构建期间运行的另一个 docker 映像,并链接到 image 关键字定义的 docker 映像.这允许您在构建期间访问服务映像.
The
serviceskeyword defines just another docker image that is run during your build and is linked to the docker image that the image keyword defines. This allows you to access the service image during build time.
MySQL 的服务容器将可以在主机名 mysql 下访问.
因此,为了访问您的数据库服务,您必须连接到名为 mysql 的主机而不是套接字或 localhost.
The service container for MySQL will be accessible under the hostname mysql.
So, in order to access your database service you have to connect to the host named mysql instead of a socket or localhost.
您可以检查这是否适用于您的情况,并尝试在 app:9143 而不是 localhost:9143 中访问您的应用程序服务.
You could check if this applies in your case, and try accessing your application service in app:9143 instead of localhost:9143.
这篇关于Gitlab CI 运行程序无法公开嵌套 Docker 容器的端口的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
